Computer underground Digest    Sun  Jan 4, 1998   Volume 10 : Issue 01
ISSN 1004-042X

Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
Archivist: Brendan Kehoe
Shadow Master: Stanton McCandlish
Shadow-Archivists: Dan Carosone / Paul Southworth Ralph Sims / Jyrki Kuoppala Ian Dickinson
Field Agent Extraordinaire: David Smith
Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

CONTENTS, #10.01 (Sun, Jan 4, 1998)

File 1--Re: Salary Survey Results + SANS Update
File 2--China clamps new controls on the Net
File 3--THERE GOES THE NEIGHBORHOOD (CyberPatrol again)
File 4--Personal Information No Longer Available (CDT reprint)
File 5-- Clinton Signs "No Electronic Theft Act"
File 6--No Electronic Theft Act; who's to judge?
File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

CuD ADMINISTRATIVE, EDITORIAL, AND SUBSCRIPTION INFORMATION APPEARS IN THE CONCLUDING FILE AT THE END OF EACH ISSUE.

---------------------------------------------------------------------

Date: Wed, 24 Dec 1997 16:19:26 -0500 (EST)
From: The SANS Institute
Subject: File 2--China clamps new controls on the Net

China clamps new controls on the Net
Reuters

BEIJING -- China clamped sweeping new controls on the Internet on Tuesday, warning that the network was being used to leak state secrets and to spread ``harmful information.''

Regulations unveiled by Zhu Entao, Assistant Minister for Public Security, cover a wide range of crimes, including leaking state secrets, political subversion and spreading pornography and violence.

The rules are also designed to protect against computer hacking, viruses and other computer-related crime.

They call for unspecified ``criminal punishments'' and fines of up to 15,000 yuan ($1,800) for Internet providers and users who violate the rules -- both individuals and business organisations.

One article says the Internet must not be used to ``split the country,'' a clear reference to separatist movements in Tibet and the Moslem region of Xinjiang. Another on ``defaming government agencies'' appears designed to combat use of the Internet by dissidents. A number of Chinese political exiles have home pages which they use to attack the Beijing government. The regulations explicitly cover information circulating from Hong Kong, Macau and Taiwan. Hong Kong reverted to Chinese rule this year and Portuguese-run Macau will be handed back in 1999. China regards Nationalist-ruled Taiwan as a rebel province. The official Xinhua news agency quoted Zhu as telling a news conference on Monday that Internet links since 1994 had boosted China's cultural and scientific exchanges with the world. ``But the connection has also brought about some security problems, including manufacturing and publicising harmful information, as well as leaking state secrets through the Internet,'' he said. The regulations, contained in 25 articles, were approved by the State Council, or cabinet, on December 11 and took effect Tuesday. They go beyond earlier provisional regulations first promulgated in February 1996 and revised in May 1997, which also ban pornography and warn against leaking state secrets. Chinese authorities have made attempts to censor pornography, politics and Western news organisations on the Internet. But with scores of providers, Chinese surfers have been able to find almost anything they want. It was not immediately clear whether Beijing would devote more resources to policing the Internet now that new regulations were in place. Xinhua cited figures from the Internet Information Centre of China showing more than 49,000 host computers and 250,000 personal computers were connected to the Internet at the end of October. 
Under the new regulations, Internet providers would be subject to supervision by Public Security officials and would be required to help track down violators.

Zhu said the regulations would ``safeguard national security and social stability,'' Xinhua said.

Computer networks were now indispensable as tools for managing state affairs, economic construction, defence and science and technology, he said. They were a pillar of social development.

``Hence, the safe and effective management of computer information networks is a prerequisite for the smooth implementation of the country's modernisation drive,'' he said.

------------------------------

Date: Tue, 23 Dec 1997 12:25:01 -0800
From: Jonathan Wallace
Subject: File 3--THERE GOES THE NEIGHBORHOOD

Jonathan Wallace
The Ethical Spectacle http://www.spectacle.org
Co-author, Sex, Laws and Cyberspace http://www.spectacle.org/freespch/

THERE GOES THE NEIGHBORHOOD (CyberPatrol again)

CyberPatrol blocks a gay community of 23,400 Web sites

by Jonathan Wallace jw@bway.net

Censorware software vendors say that they rarely make mistakes, and correct them quickly when called to their attention. CyberPatrol's block of an online neighborhood called West Hollywood sheds some interesting light on this assertion.

Geocities is a free Web hosting service, organized into "neighborhoods" of shared interests. The West Hollywood neighborhood of Geocities, http://www.geocities.com/WestHollywood/, is for gay people.

The entire West Hollywood neighborhood, of 23,400 separate Web sites, is blocked by CyberPatrol, a product of Microsystems Inc., a Boston company.

There were a few hardcore pictures on a few West Hollywood Web pages, despite Geocities terms of service which ban pornography on the system. There were tens of thousands of other pages which contained no objectionable material at all. CyberPatrol critics say that Microsystems threw out a very large baby with a small amount of bathwater.

Bob Parker is the Community Leader Liaison for West Hollywood--a sort of volunteer Webmaster. In a long, impassioned post to the fight-censorship mailing list, cross-posted to Microsystems and numerous other recipients, he quoted the Geocities terms of service, which ban the display of "material containing nudity or pornographic material of any kind." The company also has a full-time "Community Response Team" which investigates complaints filed by anyone, Geocities customer or not, about violations of the terms of service. In addition, West Hollywood maintains its own "Neighborhood Watch" program.

Parker pointed out that Microsystems chose to block a community of 23,400 sites when there was an alternative: "[A]ll it would have taken was a few minutes of investigation on the part of Microsystems to find out about the Neighborhood Watch program at GeoCities, get the sites taken care of and avoid this whole situation."

Challenged to justify the West Hollywood block, Microsystems CEO Dick Gorgens reacted equivocally. "Upon my review, you were absolutely correct in your assessment that the subdirectory block on WestHollywood is prejudicial to the Gay and Lesbian Geocities community," he told the Gay and Lesbian Alliance Against Defamation, a group which sits on a CyberPatrol oversight committee convened by Microsystems. But then he seemed to claim that the majority of West Hollywood web pages are pornographic: "We took the 'easier' approach to blocking the small number of actionable non-nudity publishers in that area rather than individually sanctioning them." But he acknowledged that "[t]aking that technique to the limit would have us pull the plug on the entire Internet which is obviously not our plan."

He pledged that the West Hollywood "problem" would be corrected within a week. Two weeks later, it still has not been.

"GLAAD was extremely disappointed that such a discriminatory move was made by Microsystems," wrote Loren Javier, the organization's interactive media director. Critics had suggested that the organization reconsider its role in advising Microsystems--that the organization might be providing cover to the company without actually preventing the product from blocking legitimate gay-oriented sites. Javier wrote: "The issue now is whether GLAAD will continue to serve on the oversight committee. I have sent a message to Dick Gorgens with conditions that I be able to review the complete block list and that I be able to ask why sites have been blocked." Microsystems has not previously allowed its oversight committee members to view the CyberNot list. The blocking of West Hollywood raises the issue of whether it is possible to filter the Internet at all. At five minutes per site--a very cursory amount of time to determine whether a Web page is "appropriate" under Microsystems' criteria--it would take a company employee 1950 hours, a little more than one person-year, to review every site in West Hollywood. And West Hollywood's pages constitute just a tiny drop of the estimated 200 million documents on the Internet. Though Microsystems says that it uses a tool called Cyber Spyder to winnow the Net and select sites for review, every page returned by the tool as a potential candidate for blocking is still reviewed by a human being. No-one seriously claims that any software possible today is capable of making the kinds of subjective determinations necessary in evaluating the "appropriateness" of Web pages. Censoring the net will always be a labor-intensive effort. The blocking of West Hollywood is not an isolated instance. A report issued this week by The Censorware Project, an ad hoc group of which I am a member, lists fifty Web hosting services blocked in their entirety by Cyberpatrol, even though the majority of user pages on these services are legitimate. 
One of them, members.tripod.com, hosts 1.4 million Web pages. (Source: "Blacklisted by CyberPatrol: From Ada to Yoyo," http://www.spectacle.org/cwp/.) Faced with the near impossible task of reviewing the entire Net, censorware companies like Microsystems will continue to take the easy way out.

---------------------------------------------------

(On Monday, December 22, 1997, Washington attorney Robert Corn-Revere filed a ground-breaking federal lawsuit challenging the use of another censorware product, X-Stop, in the Loudoun County, Va., public library (http://www.pfaw.org/press/loudon_complaint.htm). I'll discuss the case in an upcoming SLAC bulletin.)

------------------------------

Date: Thu, 18 Dec 1997 11:36:55 -0500
From: Graeme Browning
Subject: File 4--Personal Information No Longer Available (CDT reprint)

A briefing on public policy issues affecting civil liberties online
-------------------------------------------------------------
CDT POLICY POST Volume 3, Number 16          December 18, 1997

CONTENTS: (1) Industry Responds to Online Community RE: Personal Information
          (2) How to Subscribe/Unsubscribe
          (3) About CDT, Contacting us

** This document may be redistributed freely with this banner intact **
Excerpts may be re-posted with permission of
|PLEASE SEE END OF THIS DOCUMENT FOR SUBSCRIPTION INFORMATION|
___________________________________________________________________

(1) INDUSTRY RESPONDS TO ONLINE COMMUNITY'S OUTRAGE OVER WIDESPREAD AVAILABILITY OF PERSONAL INFORMATION

Dec. 18--In the wake of last year's public uproar over the providing of unique, personal identifiers like Social Security numbers, unlisted phone numbers and birthdates over the Internet, the country's three leading credit bureaus and individual reference services have pledged to stop making that information available to the general public, according to a report the Federal Trade Commission (FTC) released yesterday.

The Center for Democracy and Technology (CDT) applauds the FTC, the credit bureaus and the reference services for their work, but warns that it doesn't entirely solve the problem of protecting consumers at a time when Web sites that provide fast, easy access to public records containing personal information on individuals are proliferating. The Individual Reference Services Group (IRSG)--an industry coalition composed of Experian, LEXIS-NEXIS, Equifax Credit Information Services, Inc., Trans Union Corp., and 10 other companies--has agreed to abide by a set of self-regulatory principles aimed at curbing access to sensitive private data on individuals. The issue of personal information made widely and easily available to the general public via the Internet first drew a public outcry in September 1996 when LEXIS-NEXIS began offering individuals' mothers' maiden names, Social Security numbers and dates of birth on its "P-Trak" database. At the height of the controversy Congress asked the Federal Reserve Board and the Federal Trade Commission to study the privacy implications of this practice. The FTC's report is available at http://www.ftc.gov/opa/9712/inrefser.htm. The Federal Reserve Board issued its report earlier this year. "The companies involved in the IRSG's effort are to be commended for stepping up to the plate and crafting the most comprehensive set of self-regulatory guidelines of any US industry, however, a number of important consumer and privacy issues remain to be addressed before this can be considered a complete solution," said CDT Staff Counsel Deirdre Mulligan, who focuses on privacy issues. 
COMPANIES' PROPOSAL RESPONDS TO PRIVACY CONCERNS

The IRSG proposal responds to concerns raised by Internet users and privacy advocates last September, available at http://www.cdt.org/privacy/960920_Lexis.html, by:

* prohibiting the distribution of Social Security Numbers, dates of birth, unlisted phone numbers, and mothers' maiden names to the general public;

* prohibiting "reverse Social Security Number (SSN)" look-ups (finding a name or address based on an SSN);

* requiring companies offering look-up services to the general public to allow people to "opt-out" of these databases;

* providing individuals with access to information held by the companies that does not come from public records; and

* prohibiting the distribution of information about children unless it is for the purpose of locating a missing child.

Experian, LEXIS-NEXIS and the other companies have promised to exchange database information only with other companies who also follow these principles, a decision that will increase the principles' effectiveness.

Signers of the IRSG proposal also agree to undergo yearly audits of their practices and to make those audits available to the public. The audit records and the principles will help the FTC investigate instances where companies have not complied with the guidelines.

SEVERAL IMPORTANT AREAS STILL TO BE ADDRESSED BY GUIDELINES

The IRSG proposal falls short of providing complete protection for sensitive consumer information in a number of important areas, Mulligan said. They include the following:

* Individuals will not be provided access to public records held by the companies that sign the proposal. CDT believes that the companies should provide individuals full access to their own personal information. These companies have an important role to play--just as they serve as a one-stop shopping source for other businesses, they should allow individuals access to information from a centralized source.

* Individuals will not be notified of adverse decisions based on data in the companies' files. Many people are unaware that others are using information services to make decisions about them. If data in a company's file comes from inaccurate public records or has been inaccurately transcribed, a consumer could be harmed. People should be notified when information from the IRSG companies' files is used to make decisions about them so that they can correct inaccurate data, challenge inaccurate assumptions, or deal with real problems reflected in the data.

* The IRSG companies will not maintain detailed audit trails, even though they will undergo yearly audits. CDT believes that accountability requires strict oversight over access to and use of personal information. When the end-users of sensitive personal data are law enforcement personnel, employers, or others who can exercise power over the consumer, an audit trail that documents the end-user's treatment of personal information would help curb abuses, prevent unauthorized access, and provide accountability to the system.

* Individual consumers have no SIMPLE way to SEEK RELIEF from violations of the guidelines. The IRSG proposal doesn't provide a grievance process nor remedies for consumers who believe credit decisions have been made on the basis of inaccurate data. CDT hopes that the industry and the FTC will work to craft a grievance process and remedies that are responsive to consumers' needs.

CDT believes that the IRSG proposal is a noteworthy step towards meaningful self-regulatory guidelines. We commend the FTC for their work in this area and encourage the agency to continue to monitor not only further developments in this area, but also the implementation and compliance with the IRSG guidelines. Strong enforcement of the guidelines and consumer education are key to effective work in this area.

Still, as we noted last year, the widespread availability and use of public record information is a continuing breeding ground for privacy concerns. See http://www.cdt.org/privacy/961008_Sen_let.html. As the FTC notes in its report, "the easy availability of sensitive, unique identifiers (e.g. Social Security number, mother's maiden name, and date of birth) listed on public records increases the risk of serious harm."

Those IRSG companies with Web sites include:

Acxiom Corporation                      http://www.acxiom.com/
CDB Infotek, a ChoicePoint Company      http://www.cdb.com/public/
Equifax Credit Information Services     http://www.equifax.com/
Experian                                http://www.experian.com/
First Data Solutions Inc.               http://www.firstdatacorp.com/busunits/busunits.html#fds
Information America Inc.                http://www.infoam.com/
IRSC Inc                                http://www.irsc.com/
LEXIS-NEXIS                             http://www.LEXIS-NEXIS.com/
Metromail Corporation                   http://www.metromail.com/
Trans Union Corp                        http://www.transunion.com/
________________________________________________________________

(2) SUBSCRIPTION INFORMATION

Be sure you are up to date on the latest public policy issues affecting civil liberties online and how they will affect you! Subscribe to the CDT Policy Post news distribution list. CDT Policy Posts, the regular news publication of the Center For Democracy and Technology, are received by more than 13,000 Internet users, industry leaders, policy makers and activists, and have become the leading source for information about critical free speech and privacy issues affecting the Internet and other interactive communications media.

To subscribe to CDT's Policy Post list, send mail to

     majordomo@cdt.org

in the BODY of the message (leave the SUBJECT LINE BLANK), type

     subscribe policy-posts

If you ever wish to remove yourself from the list, send mail to the above address with a subject of:

     unsubscribe policy-posts
__________________________________________________________________

(3) ABOUT THE CENTER FOR DEMOCRACY AND TECHNOLOGY/CONTACTING US

The Center for Democracy and Technology is a non-profit public interest organization based in Washington, DC. The Center's mission is to develop and advocate public policies that advance democratic values and constitutional civil liberties in new computer and communications technologies.

Contacting us:

General information: info@cdt.org
World Wide Web: http://www.cdt.org/
Snail Mail: The Center for Democracy and Technology
            1634 Eye Street NW * Suite 1100 * Washington, DC 20006
            (v) +1.202.637.9800 * (f) +1.202.637.0968

------------------------------

Date: Mon, 22 Dec 97 20:09:06 EST
From: Computer Privacy Digest Moderator
Subject: File 5-- Clinton Signs "No Electronic Theft Act"

Source: Computer Privacy Digest Mon, 22 Dec 97 Volume 11 : Issue: 025

From--Monty Solomon
Date--17 Dec 1997 14:31:46 -0500

Clinton signs Net antipiracy act
By Courtney Macavinta
December 17, 1997, 10:00 a.m. PT

President Clinton signed a law that makes online piracy a felony offense, even if the guilty parties never profit from exchanging unauthorized digital copies of software, music, or literature.

Drafted by Rep. Bob Goodlatte (R-Virginia), the No Electronic Theft (NET) Act, signed yesterday, makes distributing or possessing illegal copies of online copyrighted material a federal crime if the value of the works is $2,500 or more.

Based on the new law, offenders could get up to five years in prison and a $250,000 fine for "willfully" possessing ten or more illegal digital copies of film clips or computer programs, for example.

A misdemeanor charge will be filed for copied material with a retail value of $1,000 or more, and comes with up to a one-year jail term.

There are a slew of high-tech and Net-related bills awaiting Congress members when they return from vacation in January. So far, however, the NET Act is only the third high-tech bill signed by Clinton this year.

In August, the president approved an export tax exemption of up to 15 percent for the software industry, which other industries had enjoyed since 1971. He also approved $425 million for the Education Department's Technology Literacy Challenge Fund, which allocates funds to states for hardware, software, and online access.

The Software Publishers Association (SPA) and the U.S. Copyright Office lobbied for the bill's passage. But the 80,000-member Association for Computing Machinery urged Clinton to veto the bill.

The international group of computer scientists argued that the law would undermine the public's right to use portions of copyrighted material under the U.S. 'fair use' doctrine. However, some legal experts disputed the association's claims.

Still, the new law gives the Microsoft-backed SPA more ammunition in its ongoing crackdown on alleged Net pirates who share, as opposed to selling, unauthorized copies of valuable software.

Internet editor Jeff Pelline contributed to this report.

========

The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the moderated USENET newsgroup comp.society.privacy. Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu.

-----------

A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Web browsers will find it at http://www.uwm.edu/org/comp-privacy/ People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Ftp users should Login as "ftp" with password identifying yourid@yoursite.
The archives are in the directory "pub/comp-privacy".

------------------------------

From: George J Kamenz
Sender: George J Kamenz
Subject: File 6--No Electronic Theft Act; who's to judge?

Fortunately (for those who might be accused, rather than the author) "retail price" is not the same as a falsely inflated list price. An attempt to pursue an action based on a falsely inflated price is very nearly doomed. As long as the accused or the accused's attorney is aware of the past rulings that deal with actual prices paid rather than one falsely claimed by the accuser everything will work out okay.

The same holds for selective enforcement of copyrights. The main reason a huge, rich firm like Disney goes after every copyright violation so fiercely, even one by a small, poor day care center with hand painted, not-for-profit, just to amuse the children material, is to maintain the copyright. If the accused or the accused's attorney is aware of the rulings that deal with selective enforcement everything will work out okay.

Of course that isn't to say the accused isn't going to have to spend money and time on a defense, after all justice isn't free.

On Mon, 22 Dec 1997, Cu Digest wrote:

> From: wouter van den berg

> Just one of the many scary aspects of the NET-Act, is that whether or
> not copyright infringement is a criminal offense is dictated by the
> "retail value".

> One way to abuse this is to put a pricetag on, for example, your
> homepage. If it's visited by some-one you dislike, you can then press
> charges.

------------------------------

Date: Thu, 7 May 1997 22:51:01 CST
From: CuD Moderators
Subject: File 7--Cu Digest Header Info (unchanged since 7 May, 1997)

Cu-Digest is a weekly electronic journal/newsletter. Subscriptions are available at no cost electronically.

CuD is available as a Usenet newsgroup: comp.society.cu-digest

Or, to subscribe, send post with this in the "Subject:" line:

     SUBSCRIBE CU-DIGEST

Send the message to: cu-digest-request@weber.ucsd.edu

DO NOT SEND SUBSCRIPTIONS TO THE MODERATORS.

The editors may be contacted by voice (815-753-6436), fax (815-753-6302) or U.S. mail at: Jim Thomas, Department of Sociology, NIU, DeKalb, IL 60115, USA.

To UNSUB, send a one-line message: UNSUB CU-DIGEST
Send it to CU-DIGEST-REQUEST@WEBER.UCSD.EDU
(NOTE: The address you unsub must correspond to your From: line)

Issues of CuD can also be found in the Usenet comp.society.cu-digest news group; on CompuServe in DL0 and DL4 of the IBMBBS SIG, DL1 of LAWSIG, and DL1 of TELECOM; on GEnie in the PF*NPC RT libraries and in the VIRUS/SECURITY library; from America Online in the PC Telecom forum under "computing newsletters;" On Delphi in the General Discussion database of the Internet SIG; on RIPCO BBS (312) 528-5020 (and via Ripco on internet); CuD is also available via Fidonet File Request from 1:11/70; unlisted nodes and points welcome.

In ITALY: ZERO! BBS: +39-11-6507540

UNITED STATES: ftp.etext.org (206.252.8.100) in /pub/CuD/CuD
                 Web-accessible from: http://www.etext.org/CuD/CuD/
               ftp.eff.org (192.88.144.4) in /pub/Publications/CuD/
               aql.gatech.edu (128.61.10.53) in /pub/eff/cud/
               world.std.com in /src/wuarchive/doc/EFF/Publications/CuD/
               wuarchive.wustl.edu in /doc/EFF/Publications/CuD/
EUROPE:        nic.funet.fi in pub/doc/CuD/CuD/ (Finland)
               ftp.warwick.ac.uk in pub/cud/ (United Kingdom)

The most recent issues of CuD can be obtained from the Cu Digest WWW site at:
URL: http://www.soci.niu.edu/~cudigest/

COMPUTER UNDERGROUND DIGEST is an open forum dedicated to sharing information among computerists and to the presentation and debate of diverse views. CuD material may be reprinted for non-profit as long as the source is cited. Authors hold a presumptive copyright, and they should be contacted for reprint permission.
It is assumed that non-personal mail to the moderators may be reprinted unless otherwise specified. Readers are encouraged to submit reasoned articles relating to computer culture and communication. Articles are preferred to short responses. Please avoid quoting previous posts unless absolutely necessary.

DISCLAIMER: The views represented herein do not necessarily represent the views of the moderators. Digest contributors assume all responsibility for ensuring that articles submitted do not violate copyright protections.

------------------------------

End of Computer Underground Digest #10.01
************************************